17. sudo User Management

Source: Internet
Author: User


Experimental requirements:

1. Understand the user management mechanism of the Linux system;

2. Add special permissions for the specified user.

Laboratory Equipment:

Software:

1. A VMware virtual machine with RHEL6 installed.

Hardware:

1. One PC machine.

Background knowledge:

1. sudo User Management

A Linux system often has more than one administrator, and if every administrator works as root, it is impossible to tell who did what. The better approach is for the administrator to create some ordinary users and assign a portion of the system administration work to them.

We should not let these users switch to root with su, because they would then have to know the root password, which is unsafe and does not meet our division-of-labor requirements. The general practice is to use permission settings: classify users according to the nature of their work, put users with a special role into the same workgroup, and set workgroup permissions. For example, suppose the user wwwadm is responsible for managing the Web site data. The owner of the Apache Web server process httpd is normally www, so you can put wwwadm and www in the same workgroup and make the default Apache page directory /usr/local/httpd/htdocs readable, writable, and executable by that workgroup, so that every user belonging to the workgroup can manage the Web pages.

However, this is not the best solution. If, for example, the administrator wants to grant a normal user permission to shut down the machine, the method above is not ideal. At this point you might think: I only want this user to be able to execute the shutdown command as root. That is exactly right, but a typical Linux system cannot do this by itself; there is a tool that implements this functionality: sudo. sudo is a very useful tool on Unix/Linux platforms that allows system administrators to assign some reasonable "power" to ordinary users so they can perform tasks that only the superuser or other privileged users can accomplish (mainly in the form of commands), such as running commands like mount, halt, and su, or editing system configuration files such as /etc/mtab and /etc/samba/smb.conf. This not only reduces the number of root logins and the administration time of the root user, but also improves the security of the system.

sudo assigns privileges to different users by maintaining a database that maps privileges to user names; the privileges are identified by the commands listed in the database. To use a privileged entry, an eligible user simply enters sudo followed by the command name at the command line and, when prompted, enters the password again (the user's own password, not the root password). For example, sudo can allow a normal user to format a disk without giving that user any other root privileges.

To assign sudo privileges, add a line to the configuration file /etc/sudoers in the following format:

user_name host_name=(run_as_user) command_to_run

Example 1. smb ALL=(ALL) /usr/sbin/useradd

Example 2. smb ALL=(ALL) NOPASSWD: /usr/sbin/useradd

Experimental steps:

1. Switch to a normal user by entering the command "su - smb" in the terminal. The smb user is a normal user created by the root user (you can also experiment with the previously created win user). Run "useradd xw" to try to add a user, as shown in Figure 3-158. The result indicates that the smb user does not have permission to add a new user.

Figure 3-158: Adding the user xw as the smb user

2. Grant the smb user the right to run useradd. First switch back to the root user and open the configuration file with "vim /etc/sudoers", add line 119 at the end of the file, then save and exit, as shown in Figure 3-159.

Figure 3-159: Modifying the configuration file /etc/sudoers

3. Switch back to the normal user smb with the command "su - smb", then use the command "sudo useradd xw" to add the user xw, entering the smb user's password when prompted. Use the command "ls /home" to see the xw user directory generated under /home.

Figure 3-160: Adding a normal user xw

4. To let the smb user run useradd without entering the smb user's password, switch back to the root user and modify the /etc/sudoers file again, adding "smb ALL=(ALL) NOPASSWD: /usr/sbin/useradd" at the end of the file, then save and exit, as shown in Figure 3-156.

Figure 3-161: Add a normal user xw

5. After modifying the configuration file /etc/sudoers, use "su - smb" to switch back to the smb user, then use the command "sudo useradd xw1" to add the ordinary user xw1. Compared with step 3, adding the "NOPASSWD" parameter lets the user skip the password prompt, as shown in Figure 3-162.

Figure 3-162: Adding the user xw1
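The rules added in steps 2 and 4 differ only in the NOPASSWD tag, so a reviewer of /etc/sudoers needs a quick way to list which grants skip the password prompt. The following is an added example, not part of the original lab: the function name audit_sudoers and the sample rules (including the wwwadm line) are constructed for illustration, and it only handles single-line rules in the format shown above.

```bash
#!/usr/bin/env bash
# Added example: audit sudoers-style rules of the form
#   user host=(run_as_user) [NOPASSWD:] command
# SAMPLE_SUDOERS is constructed test data, not a real configuration.
SAMPLE_SUDOERS='# constructed sample rules
Defaults requiretty
root    ALL=(ALL)       ALL
smb     ALL=(ALL)       /usr/sbin/useradd
smb     ALL=(ALL)       NOPASSWD: /usr/sbin/useradd
wwwadm  ALL=(root)      NOPASSWD: ALL
'

# audit_sudoers: read sudoers text on stdin and print one finding per line.
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    $1 == "Defaults"          { next }   # skip option lines
    {
      eq = index($0, "=")
      if (eq == 0) next                  # not a user rule
      user = $1
      spec = substr($0, eq + 1)
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop the (run_as_user) part
      nopass = 0
      if (spec ~ /^NOPASSWD:/) {
        nopass = 1
        sub(/^NOPASSWD:[ \t]*/, "", spec)
      }
      sub(/[ \t]+$/, "", spec)           # trim trailing whitespace
      # A non-root user allowed to run every command is effectively root.
      if (user != "root" && spec == "ALL")
        print user ": unrestricted command list (ALL)"
      # NOPASSWD removes the re-authentication step shown in step 3.
      if (nopass)
        print user ": NOPASSWD grant for " spec
    }
  '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real system, edit /etc/sudoers with visudo, which checks the syntax before saving, rather than opening the file directly in an editor.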

Summary:

Through this experiment we should be familiar with using the sudo command in Linux to manage the rights of normal users.
